activemq-dev mailing list archives

From "Hiram Chirino" <hi...@hiramchirino.com>
Subject Re: SSL authentication/authorization patch
Date Fri, 22 Sep 2006 20:57:11 GMT
Hi Kelly, I think that's already supported.

The client can do something like ssl://localhost:61617?socket.socketOption=xxx

Not sure if the same works on the server side.  I have a feeling that
on the server side, it has to be:
ssl://localhost:61617?transport.socket.socketOption=xxx


On 9/22/06, Kelly Campbell <kelly.a.campbell@gmail.com> wrote:
> Thanks Sepand. I did review those instructions earlier.
>
> What about the other requirements to be able to set specific options
> on the socket, e.g. not allowing weak ciphers? I think having the
> config in the URL is good, but not sufficient in this case. I'd like
> to propose adding a SocketFactory parameter to a new constructor on
> the ActiveMQConnectionFactory (actually the code for this is almost
> complete). This would be useful for not only SSL connections, but
> other tcp connections if the user wants to customize some of the
> socket options.
>
> Thanks,
> Kelly
>
> On 9/21/06, Sepand M <sepandm@gmail.com> wrote:
> > Yeah, we realized this was needed, but I didn't have time (my work term
> > at the company was ending).
> > I've left instructions for people taking over this project on how to do
> > this (it just takes one setter and a well placed call from that setter).
> > I'm not sure when it will be done though.
> >
> > - Sepand
> >
> > Hiram Chirino wrote:
> > > On 9/21/06, Hiram Chirino <hiram@hiramchirino.com> wrote:
> > >> On 9/21/06, Kelly Campbell <kelly.a.campbell@gmail.com> wrote:
> > >> > Thanks for getting this submitted Sepand, and thanks for patching
> > >> > it in Hiram.
> > >> >
> > >> > I'm looking at how best to configure the keystore settings more
> > >> > dynamically without using the default system properties or anything in
> > >> > the URL. It looks like I'd need to be able to pass in a
> > >> > javax.net.ssl.SSLContext or SSLSocketFactory. I'd also like to be able
> > >> > to pass these in so I can provide an implementation that does some
> > >> > extra security checks, e.g. checking that the server's DN is what we
> > >> > expect, turning off weak ciphers.
> > >> >
> > >>
> > >> It would be nice if they were properties on the ssl transport server
> > >> so that you can configure them using the URI... like:
> > >>
> > >> ssl://localhost:61617?keystore=foo.ks&truststore=foo.ts
> > >>
> > >> > The part I'm struggling with now is where to create this API for the
> > >> > client. Should it be a new constructor on ActiveMQConnectionFactory,
> > >> > or should I add a new overridden ActiveMQSecureConnectionFactory? Or
> > >> > should I just override it in my own code base, and not have this in
> > >> > the activemq code at all?
> > >>
> > >> Just add properties to the SslTransportServer and make sure they have
> > >> setters.
> > >>
> > >
> > > And properties to the SslTransport if you want to set those properties
> > > on the client connect URL
> > >
> > >> >
> > >> > Thanks,
> > >> > Kelly
> > >> >
> > >> > On 9/11/06, Hiram Chirino <hiram@hiramchirino.com> wrote:
> > >> > > starting to look into it now. thx for the patch!
> > >> > >
> > >> > > On 9/5/06, Sepand M <sepandm@gmail.com> wrote:
> > >> > > > Hey guys,
> > >> > > >
> > >> > > > The patch is done.
> > >> > > > It's here: https://issues.apache.org/activemq/browse/AMQ-912
> > >> > > > Hope you like it.
> > >> > > > It would be really great if you could give an estimate of when
> > >> > > > you will decide if it goes in or not (although I doubt you can =) ).
> > >> > > >
> > >> > > > Regards,
> > >> > > > Sepand
> > >> > > >
> > >> > > >
> > >> > >
> > >> > >
> > >> > > --
> > >> > > Regards,
> > >> > > Hiram
> > >> > >
> > >> > > Blog: http://hiramchirino.com
> > >> > >
> > >> >
> > >>
> > >>
> > >> --
> > >> Regards,
> > >> Hiram
> > >>
> > >> Blog: http://hiramchirino.com
> > >>
> > >
> > >
> >
> >
>


-- 
Regards,
Hiram

Blog: http://hiramchirino.com
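
The kind of factory Kelly describes in the quoted messages (weak ciphers turned off, server DN checked), written with plain JSSE as an added example that is not part of the thread or of ActiveMQ's code. The class name, the name-based cipher filter and the exact-match DN comparison are assumptions; how such a factory would be handed to ActiveMQ is left out because the thread leaves that API open.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical wrapper: filters weak cipher suites and checks the server certificate DN.
public class HardenedSslSocketFactory extends SSLSocketFactory {
    // Assumed deny-list, matched against JSSE suite names.
    private static final Pattern WEAK = Pattern.compile("_anon_|_NULL_|_EXPORT_|_RC4_|_3?DES_|_MD5$");
    private final SSLSocketFactory delegate;
    private final String expectedDn; // assumption: exact RFC 2253 subject DN of the broker certificate

    public HardenedSslSocketFactory(SSLSocketFactory delegate, String expectedDn) {
        this.delegate = delegate;
        this.expectedDn = expectedDn;
    }

    // Returns the input suites minus anything matching the deny-list.
    static String[] strong(String[] suites) {
        List<String> keep = new ArrayList<>();
        for (String s : suites) if (!WEAK.matcher(s).find()) keep.add(s);
        return keep.toArray(new String[0]);
    }

    // Restricts ciphers, completes the handshake (chain validation), then compares the peer DN.
    private Socket harden(Socket raw) throws IOException {
        SSLSocket s = (SSLSocket) raw;
        s.setEnabledCipherSuites(strong(s.getEnabledCipherSuites()));
        s.startHandshake();
        X509Certificate peer = (X509Certificate) s.getSession().getPeerCertificates()[0];
        String dn = peer.getSubjectX500Principal().getName();
        if (!expectedDn.equals(dn)) {
            s.close();
            throw new SSLPeerUnverifiedException("unexpected server DN: " + dn);
        }
        return s;
    }

    @Override public String[] getDefaultCipherSuites() { return strong(delegate.getDefaultCipherSuites()); }
    @Override public String[] getSupportedCipherSuites() { return strong(delegate.getSupportedCipherSuites()); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean ac) throws IOException { return harden(delegate.createSocket(s, h, p, ac)); }
    @Override public Socket createSocket(String h, int p) throws IOException { return harden(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(String h, int p, InetAddress l, int lp) throws IOException { return harden(delegate.createSocket(h, p, l, lp)); }
    @Override public Socket createSocket(InetAddress a, int p) throws IOException { return harden(delegate.createSocket(a, p)); }
    @Override public Socket createSocket(InetAddress a, int p, InetAddress l, int lp) throws IOException { return harden(delegate.createSocket(a, p, l, lp)); }
}
```

The no-argument `createSocket()` is not overridden, so it keeps the base-class behaviour of throwing; a caller that creates unconnected sockets would need the checks applied after `connect`.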
